Autoriteit Persoonsgegevens – Court Ruling (Netherlands, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court found that ABN AMRO Bank improperly shared a person's personal data with their former bankruptcy trustee after the bankruptcy was lifted. This ruling is significant because it highlights the importance of ensuring that sensitive information is only shared with authorized parties. Companies must be careful about who they share personal data with, especially after legal changes.
What happened
ABN AMRO Bank shared personal data with a former bankruptcy trustee after the trustee's authorization ended.
Who was affected
The individual whose personal data was shared without proper authorization.
What the authority found
The court determined that the bank unlawfully processed the individual's sensitive personal data by sharing it with the former trustee.
Why this matters
This ruling serves as a warning for businesses to verify the authority of individuals before sharing personal information, especially in sensitive situations like bankruptcy.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Due to a bankruptcy the data subject was represented by a bankruptcy trustee. The bankruptcy was lifted on 7 July 2022, ending the trustee’s authorization to represent the data subject. However, on 19 July 2022, an employee of a Dutch bank, ABN AMRO Bank (the controller), shared the data subject’s personal data with the former bankruptcy trustee of the data subject on the phone. The data subject lodged a complaint with the Dutch DPA (“Autoriteit Persoonsgegevens) for an unreported data breach by the controller (i.e. sharing his personal data with his former bankruptcy trustee). The controller admitted to the DPA that the bankruptcy trustee of the data subject should only have been informed that they were no longer appointed due to the discharge from bankruptcy of the data subject, and that therefore information of the data subject would not be shared anymore with them. The DPA interpreted the data subject's complaint as not directly referring to the data breach, but to the unlawful processing of sensitive personal data. To determine whether unlawful processing took place, further investigation would have been required. However, in this case, the DPA refrained from conducting further investigation. The DPA explained why it was not investigating the data subject’s complaint, referring to the [https://www.autoriteitpersoonsgegevens.nl/een-tip-of-klacht-indienen-bij-de-ap/behandeling-van-klachten-door-de-ap criteria on their website]. On their website the DPA states that to be efficient and effective, they have to make choices and therefore use the following criteria to determine whether the complaint qualifies for further investigation: the complaint is about a violation that is still ongoing, has a broader societal interest, there are no other proceedings pending, the complaint is specifically about a GDPR issue, and the subject of the complaint has not previously been investigated by the DPA. Taking into account the data subject's complaint, the DPA held that the a
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (10)
Other cases involving Autoriteit Persoonsgegevens in NL
Court Ruling
Details
About this data
Cite as: Cookie Fines. Autoriteit Persoonsgegevens - Netherlands (2024). Retrieved from cookiefines.eu
Last updated: